AI sentiment analysis in the workplace raises critical questions under both the GDPR and the AI Act, as confirmed by a recent warning issued by the Italian Data Protection Authority against Myndoor S.r.l., a company offering a stress-detection plug-in for Slack and Teams corporate chats.
This decision, adopted on 14 May 2026, offers valuable insights under both the GDPR and the AI Act for any organisation deploying or intending to exploit AI-powered well-being tools in the workplace, and it leaves several fundamental questions unresolved.
How the Myndoor AI Sentiment Analysis System Works
The Myndoor plug-in is purchased by employers and made available to employees, who voluntarily activate it. Using an AI model, the system analyses the textual content of chat messages to evaluate psychological stress parameters. Myndoor qualifies itself as the sole data controller, claiming that employers have no access to individual employees’ personal data. However, when at least ten users are active weekly, the system can generate an aggregate stress report available to the employer.
The Italian Data Protection Authority’s GDPR and AI Act Reasoning
The Italian Data Protection Authority acknowledged that, in its current design, the system excludes the employer from processing individual personal data — drawing an analogy with employer-funded health insurance or psychological assistance programmes. Nonetheless, the Garante raised two key regulatory concerns.
First, information about employees’ emotional sphere and psychological stress falls within the category of data whose knowledge is precluded to employers under data protection and labour law principles. Second, the Authority explicitly invoked Article 5(1)(f) of the AI Act (Regulation (EU) 2024/1689), which prohibits the use of AI systems to infer emotions of natural persons in the workplace. The Garante connected this AI Act prohibition with the GDPR principles of privacy by design and by default (Article 25), concluding that functionalities conflicting with sector-specific norms should be deactivated.
Since no actual unlawful data transfer to employers was proven, the Authority limited itself to a formal warning, signalling the risk that the aggregate report could likely violate the applicable framework.
Where Does AI Sentiment Analysis in the Workplace Stand?
Despite this reasoning, several questions remain open — questions that are highly relevant for any jurisdiction implementing the GDPR and the AI Act.
- Is the sole controllership qualification convincing? The employer purchases the service, decides to make it available, and potentially receives aggregate reports. Could this amount to joint controllership under Article 26 GDPR, or even to sole controllership by the employer? The fact that the employer has no access to the processed personal data is not relevant per se, since the EDPB has held that such access is not a requirement. The decision does not explore this sufficiently.
- Is a threshold of ten users enough for anonymisation? The Garante itself acknowledges re-identification risks in small organisational units. But the decision provides no guidance on what numerical threshold would be adequate, a gap that leaves considerable uncertainty for companies adopting similar tools. There is no doubt that the reasonable perspective of the employer must be considered, rather than an abstract analysis.
- What are the practical effects of the warning? The Garante does not impose corrective measures, does not order cessation, and does not set compliance deadlines. Must Myndoor eliminate the aggregate report entirely, or would stronger anonymisation suffice? Legal certainty is not fully achieved.
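The ten-user threshold and the small-unit re-identification concern discussed above can be made concrete in code. The following is an added example, not Myndoor's implementation or anything taken from the decision: the data model, the per-unit breakdown and all function names are assumptions. It shows why a simple count check is not sufficient on its own, because a published company total minus the published units can reveal the figure for a small suppressed unit.

```python
from statistics import mean

MIN_COHORT = 10  # weekly-active threshold described in the article

def _stats(vals):
    return {"n": len(vals), "mean": round(mean(vals), 2)}

def aggregate_report(scores, unit_of, min_cohort=MIN_COHORT):
    """Build the employer-facing report, or None if nothing may be released.

    scores:  {user_id: weekly stress score}   (hypothetical data model)
    unit_of: {user_id: organisational unit}   (hypothetical data model)
    """
    if len(scores) < min_cohort:
        return None  # fewer active users than the threshold: no report
    by_unit = {}
    for user, score in scores.items():
        by_unit.setdefault(unit_of[user], []).append(score)
    report = {"company": _stats(list(scores.values())),
              "units": {}, "suppressed": []}
    for unit, vals in sorted(by_unit.items()):
        if len(vals) >= min_cohort:
            report["units"][unit] = _stats(vals)
        else:
            report["suppressed"].append(unit)
    # Complementary suppression: company total minus the published units
    # gives the combined figure for the suppressed units. If that residual
    # group is itself below the threshold, withhold the whole breakdown.
    residual = sum(len(by_unit[u]) for u in report["suppressed"])
    if 0 < residual < min_cohort:
        report["suppressed"] = sorted(by_unit)
        report["units"] = {}
    return report

# Constructed sample: 12 users in engineering, 11 in sales, 2 in legal.
SAMPLE_UNITS = {f"e{i}": "engineering" for i in range(12)}
SAMPLE_UNITS.update({f"s{i}": "sales" for i in range(11)})
SAMPLE_UNITS.update({"l0": "legal", "l1": "legal"})
SAMPLE_SCORES = {u: 40 + (i % 7) * 5
                 for i, u in enumerate(sorted(SAMPLE_UNITS))}

if __name__ == "__main__":
    print(aggregate_report(SAMPLE_SCORES, SAMPLE_UNITS))
```

In the constructed sample the two-person legal unit would be derivable by subtraction, so only the company-wide figure is released.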
AI Act Implications for AI Sentiment Analysis in the Workplace
AI sentiment analysis in the workplace engages two distinct AI Act pathways, each with concrete compliance consequences.
- Prohibition risk (Article 5(1)(f)). If the functionality is characterised as “emotion inference” in the workplace, the AI Act establishes a hard prohibition on placing such systems on the market, putting them into service for that specific purpose, or using them in that context. For providers, this means product strategy decisions: disable or technically block emotion‑inference features for workplace contexts (including geo‑/context gating); avoid marketing materials or instructions that position the tool for workplace emotion inference; and document the assessment that a given feature is out of scope of the prohibition. For deployers (employers), procurement and use policies should exclude any capability that could infer emotions of workers, even indirectly via proxies.
- High‑risk classification fallback. If the system is not “emotion inference” but is intended to support employment‑related decisions or worker management, it may fall within the AI Act’s high‑risk category for employment use cases. That triggers provider obligations (risk management, data and data‑set governance, technical documentation, record‑keeping/logging, transparency to deployers, human oversight, accuracy/robustness/cybersecurity, conformity assessment and CE‑marking) and deployer obligations (use in accordance with instructions, human oversight, logging retention, monitoring and incident reporting). Public‑sector deployers and certain service providers may also face additional impact‑assessment duties before use.
As shown above, even in this case the appropriate AI Act classification is not straightforward, and it has major consequences. If the system is deemed not to fall under the prohibited AI systems, providers and deployers should maintain a written “AI Act classification memo” that: (i) explains why stress‑level analytics are not emotion inference (or, if they are, which features are disabled in workplace contexts); (ii) maps the intended purpose(s) and user journeys; (iii) identifies any high‑risk triggers; and (iv) sets technical controls to prevent repurposing (e.g., API constraints, admin toggles, context checks). Deployer contracts should mirror this with purpose‑limitation clauses, prohibited uses, audit/kill‑switch rights, and change‑control notifications.
Even outside the prohibition, high‑risk or non‑high‑risk assistant tools must:
- furnish clear instructions and limitations to deployers and, where relevant, meaningful information to workers about the system’s capabilities, expected accuracy, and appropriate use boundaries. In practice, that means surfacing model scope (what signals are and are not analysed), known error modes, and the fact that outputs are advisory and subject to human review.
- design for contestability and meaningful intervention (e.g., easy ability to ignore or correct outputs; confidence intervals; warnings against use for disciplinary, hiring or evaluation purposes without corroboration) to enable human oversight. Deployers should embed those guardrails into internal policies and training.
- curate representative training/validation data, measure performance across relevant worker cohorts and languages, and document known limitations. Deployers should avoid using outputs to compare teams or individuals where sampling is small or role‑specific patterns make indirect identification likely.
- maintain logs proportionate to risk, set up channels for incident reporting, and be prepared to suspend features if misuse or material performance degradation is detected. Market‑surveillance authorities may require corrective actions or withdrawal where systems are misclassified or used in prohibited contexts.
Taken together, the AI Act pushes both providers and employers toward conservative design and deployment choices for AI sentiment analysis in the workplace: either remove any functionality that could qualify as emotion inference, or be prepared to operate under a high‑risk regime with rigorous controls, documentation, and demonstrable human oversight.
Clearer Rules Needed for AI Sentiment Analysis in the Workplace
The Myndoor decision signals that European data protection authorities intend to apply a strict approach to AI sentiment analysis in the workplace, at the intersection of GDPR and AI Act enforcement. However, the open questions outlined above — from controllership qualification to the boundaries of the emotion inference prohibition — show that clearer regulatory guidance is urgently needed. Organisations deploying AI-powered well-being tools in professional settings should monitor these developments closely, as the answers will shape the future of workplace AI across the European Union and beyond.
The EU is granting companies some extra time to deal with high‑risk AI systems, but that cannot be read as an opportunity to take a break, since the implementation phase requires a major organizational shift for businesses. Read more: “EU Reaches Deal on AI Act Changes: What the New Compromise Really Means”.

